Since Windows will manage your keys, you don't have to manage keys yourself. In Java, never think about writing your own mechanism to manage keys and store passwords. It is simply not secure, because anyone having access to your .jar file can easily reverse engineer it to the source code files and obtain your mechanism. CryptProtectData() is the way to go.
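As an added illustration of the approach in this answer (not code from the original post), the following uses JNA's `Crypt32Util` wrapper around the Win32 `CryptProtectData`/`CryptUnprotectData` calls to seal a database password once and unseal it at startup; the file name `db-password.dpapi` and the `--init` flag are assumptions made here for the example.

```java
import com.sun.jna.platform.win32.Crypt32Util;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Base64;

/** Illustrative DPAPI wrapper (hypothetical name). Windows-only; needs the jna-platform jar. */
public final class DpapiSecret {

    /** Seals the secret under the calling Windows user's DPAPI master key. */
    public static byte[] protect(char[] secret) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] plain = new byte[bb.remaining()];
        bb.get(plain);
        try {
            return Crypt32Util.cryptProtectData(plain); // DPAPI blob, only this user (or LOCAL_MACHINE scope) can open it
        } finally {
            Arrays.fill(plain, (byte) 0); // keep the plaintext copy short-lived
        }
    }

    /** Unseals a blob; only succeeds when run as the account that created it. */
    public static char[] unprotect(byte[] blob) {
        byte[] plain = Crypt32Util.cryptUnprotectData(blob);
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plain));
        char[] out = new char[cb.remaining()];
        cb.get(out);
        Arrays.fill(plain, (byte) 0);
        return out;
    }

    /** One-time setup, run as the service account: stores the sealed blob base64-encoded on disk. */
    public static void store(Path file, char[] secret) throws IOException {
        Files.write(file, Base64.getEncoder().encode(protect(secret)));
    }

    public static char[] load(Path file) throws IOException {
        return unprotect(Base64.getDecoder().decode(Files.readAllBytes(file)));
    }

    public static void main(String[] args) throws Exception {
        Path file = Path.of("db-password.dpapi"); // assumed location; restrict its ACL to the service account
        if (args.length == 1 && args[0].equals("--init")) {
            store(file, System.console().readPassword("DB password: "));
            return;
        }
        char[] pw = load(file);
        // ... open the JDBC connection with pw here, then wipe it ...
        Arrays.fill(pw, '\0');
    }
}
```

The blob is bound to the user profile that created it, so run the `--init` step as the same account the application runs under (or pass the Win32 `CRYPTPROTECT_LOCAL_MACHINE` flag via the `cryptProtectData(byte[], int)` overload for machine scope). DPAPI protects the secret at rest; any code running as that user can still unseal it, so the file ACL and the service account's privileges remain the real boundary.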

Split your Java application into two parts: a front-end, dealing with HTTP requests, and a back-end, dealing with the database. They communicate with each other over a simple API (IPC). Therefore, database credentials stay in the back-end application and remain secure even if the front-end application gets compromised. Make sure each application runs under its own user and that they cannot access each other's files. If you are using Linux, I recommend using MAC like SELinux, TOMOYO, AppArmor to isolate the applications. Alternatively, you can run each application inside its own VM or even physical machine, but that would be a waste of resources.